-
Title
Can the directory synchronization be configured to never merge with existing target objects? -
Description
Can Directory Synchronization be configured to never merge with existing target objects?
This may be desirable if:
- You are concerned about duplicate samaccount names, and wish to prevent the sync from incorrectly merging with a target object
- You are using migration sessions to migrate users to the target
-
Cause
N/A
-
Resolution
Yes, the directory synchronization can be configured such that it will only merge into migrated users, therefore preventing any chance of incorrect merging.
To do this, un-select all matching rules by right-clicking the domain pair, opening properties, clicking "Object Matching", and un-checking all three matching rules.
This will cause the DSA to only merge with objects that have the service attributes populated by a migration session.
Please Note: This should only be used for situations where you never want to merge. This means that migration sessions will fail if there is an existing user in the target domain with the same SAMAccountname, email address, or SIDhistory attribute (and Name attribute if this user is in the same OU).
IMPORTANT: If you continue to migrate with the above settings, and are attempting to merge with a target object using an import file, problems may occur with the samaccountname and name attributes, which may make the account invisible in ADUC. Please see the following KB article for more information:
https://support.quest.com/SUPPORT/index?page=solution&id=SOL14651